From 7e4c73ad2e2788c42b9de9c08abe04cb4ef3775b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ece=20=C3=96zalp?=
Date: Mon, 19 Jul 2021 15:36:22 -0400
Subject: [PATCH] [CTI] Adds indicator match rule improvements (#97310)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
---
 .../signals/threat_mapping/get_threat_list.test.ts | 10 +++++-----
 .../signals/threat_mapping/get_threat_list.ts | 5 +++--
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/get_threat_list.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/get_threat_list.test.ts
index 8d301f221b34..65dc3794123c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/get_threat_list.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/get_threat_list.test.ts
@@ -16,7 +16,7 @@ describe('get_threat_signals', () => {
       index: ['index-123'],
       listItemIndex: 'list-index-123',
     });
-    expect(sortOrder).toEqual([{ '@timestamp': 'asc' }]);
+    expect(sortOrder).toEqual([{ '@timestamp': 'desc' }]);
   });
 
   test('it should return sort field of just tie_breaker_id if given no sort order for a list item index', () => {
@@ -29,14 +29,14 @@ describe('get_threat_signals', () => {
     expect(sortOrder).toEqual([{ tie_breaker_id: 'asc' }]);
   });
 
-  test('it should return sort field of timestamp with asc even if sortOrder is changed as it is hard wired in', () => {
+  test('it should return sort field of timestamp with desc even if sortOrder is changed as it is hard wired in', () => {
     const sortOrder = getSortWithTieBreaker({
       sortField: undefined,
       sortOrder: 'desc',
       index: ['index-123'],
       listItemIndex: 'list-index-123',
     });
-    expect(sortOrder).toEqual([{ '@timestamp': 'asc' }]);
+    expect(sortOrder).toEqual([{ '@timestamp': 'desc' }]);
   });
 
   test('it should return sort field of tie_breaker_id with asc even if sortOrder is changed as it is hard wired in for a list item index', () => {
@@ -56,7 +56,7 @@ describe('get_threat_signals', () => {
       index: ['index-123'],
       listItemIndex: 'list-index-123',
     });
-    expect(sortOrder).toEqual([{ 'some-field': 'asc', '@timestamp': 'asc' }]);
+    expect(sortOrder).toEqual([{ 'some-field': 'asc', '@timestamp': 'desc' }]);
   });
 
   test('it should return sort field of an extra field if given one for a list item index', () => {
@@ -76,7 +76,7 @@ describe('get_threat_signals', () => {
       index: ['index-123'],
       listItemIndex: 'list-index-123',
     });
-    expect(sortOrder).toEqual([{ 'some-field': 'desc', '@timestamp': 'asc' }]);
+    expect(sortOrder).toEqual([{ 'some-field': 'desc', '@timestamp': 'desc' }]);
   });
 
   test('it should return sort field of desc if given one for a list item index', () => {
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/get_threat_list.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/get_threat_list.ts
index 3ff23e27547b..8fab8f30fb3d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/get_threat_list.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/get_threat_list.ts
@@ -70,6 +70,7 @@ export const getThreatList = async ({
         listItemIndex: listClient.getListItemIndex(),
       }),
     },
+    track_total_hits: false,
     ignore_unavailable: true,
     index,
     size: calculatedPerPage,
@@ -101,9 +102,9 @@ export const getSortWithTieBreaker = ({
     }
   } else {
     if (sortField != null) {
-      return [{ [sortField]: ascOrDesc, '@timestamp': 'desc' }];
+      return [{ [sortField]: ascOrDesc, '@timestamp': 'desc' }];
     } else {
-      return [{ '@timestamp': 'desc' }];
+      return [{ '@timestamp': 'desc' }];
     }
   }
 };
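Review bot: `track_total_hits: false` changes what `hits.total` holds on this search response, so any consumer of getThreatList's result that reads the total (a logged indicator count, or a paging loop that stops on total rather than on an empty page) would now see a wrong or missing value; nothing in the hunk reads it, but that should be verified against the callers. A short why-comment above the added line would keep the next reader from restoring the count, e.g. `// exact hit totals are not consumed here (verify callers); skipping the count avoids tallying every indicator per page`. The body of getThreatList starts before and continues after this hunk.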
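Review bot: The two returns at the end of the second hunk sort non-list threat indices on `@timestamp` alone, with no unique tie-breaker, whereas the list-item branch (outside the hunk; see the `tie_breaker_id` expectation in the test hunk at line 29) does have one; if this sort feeds `search_after` paging, as `size: calculatedPerPage` in the first hunk suggests, indicators that share a timestamp can be skipped or returned twice across pages, which for an indicator-match rule means missed or duplicated matches. This was equally true with `asc` and the commit does not change it, but flipping the hard-wired order to `desc` is the moment to record the assumption, e.g. `// newest indicators first; '@timestamp' is not unique, so page boundaries are only stable if ties are tolerated (verify)` above the first `return`. getSortWithTieBreaker starts outside the hunk.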